When President Xi Jinping arrived in Washington, D.C., last week, the U.S. government had already started threatening to levy sanctions against China for continuing to aid, and in many cases sponsor, domestic hackers in efforts to steal sensitive information from the U.S. government and companies.
Yet an 11th-hour agreement between China and the United States promises to put a halt to any government cyber-operations designed to boost domestic industries. In a joint press conference, President Obama and President Xi pledged that both countries would eschew economic espionage in the future.
“Both governments will not be engaged in or knowingly support online theft of intellectual properties,” President Xi told assembled press. “And we will explore the formulation of appropriate state, behavior and norms of the cyber-space.”
The agreement falls short in many areas, however. For one, both countries are promising only not to conduct economic espionage. Cyber-espionage conducted for national-security reasons remains a legitimate activity. The recent compromises of the U.S. Office of Personnel Management and health insurance provider Anthem—organizations that both could justifiably be considered valid national-security targets—were attributed to Chinese actors and are still targets today.
For that reason, government agencies and companies will not see any respite because of the agreement. Rather, they will both have to beef up their defenses because attackers have no reason to stop, Dmitri Alperovitch, co-founder and CTO of security services firm CrowdStrike, told eWEEK.
“I think with the OPM breach—that’s on us,” he said. “You cannot blame the Chinese for trying. Our own people have said they would have done the same thing, if they had a chance.”
As long as the costs are worth the benefits, such attacks will continue, Alperovitch said.
More significantly, the agreement appears to have very little structure, though few details have been provided to the media. The agreement fails to define the boundaries of what constitutes economic, versus national-security, espionage and fails to discuss penalties for exceeding those boundaries. Without the former, any nation can claim that an attack is for national-security reasons.
But more importantly, without a framework for sanctions or other policy measures to punish countries that hack other nations, cyber operations will continue to target government agencies and companies, said Jason Healey, a senior fellow with the Cyber Statecraft Initiative at the Atlantic Council, a policy think-tank. In a report published in September, the analyst group estimated that burgeoning cyber-crime and cyber-espionage could cost the worldwide economy up to $90 trillion in unrealized benefits.
While the U.S.-China agreement on economic espionage has set the stage for further discussions, it needs stiff penalties to deter each side from crossing the newly drawn lines. Deterrence, in general, requires that the participants worry that they will be caught and, if they are caught, they will face meaningful punishment. Without those two conditions, deterrence is not possible, Jen Ellis, senior director of community and public affairs for Rapid7, told eWEEK in a recent interview.
“So when you look at it in that context, the reality is that deterrence is pretty unlikely to work for cyber,” Ellis said. Attributing hacks to specific actors or nations is difficult, and levying punishment when the economies of China and the United States are so intertwined is unpalatable for politicians on both sides, she added.
U.S.-China Cyber-security Agreement Lacks Teeth, Has Holes
Yet some current sanction processes could point the way. Sanctions could resemble those used by the U.S. Department of the Treasury to penalize companies that do business with terrorists or that are fronts for terrorist organizations. A handful of organizations and companies are added to the Specially Designated Nationals List, which freezes their assets and blocks U.S. citizens from doing business with them, Healey said.
The same process could work against companies that support hacking or use hacking as a way to get information on a rival, he said.
“This would be the same sanctions authority that we have used for everything else,” he said. “You have to be able to justify the penalty in court, an international court. It is a relatively high bar.”
Without sanctions, China will likely continue to infiltrate corporate systems and government networks because there is just no downside for the nation. For any single nation or company, stealing intellectual property could put it on the fast track to catch up with rival corporations. So far, China has had everything to gain and nothing to lose, Healey said.
“There has never been any cost to the Chinese for espionage,” Healey said. “They have never even had to care.”
And with every compromise, the recent agreement becomes less meaningful, and the Internet continues to remain a lawless place, he said. The United States should not rest with a simple agreement, said Healey.
“There is a danger in the sense that you think you have done something,” he said. “Because you have had no wind in your sails for years, the first breeze seems like something.”